Hi all. We received a bulletin that our UF certificates were expiring. I downloaded the credentials package and installed them per documentation on my deployment server using <...install app...-update 1...>
That appears to have updated the APPS 100_xxxx_splunkcloud folder/files but my question is:
1. Doesn't the DEPLOYMENT-APPS 100_xxxx_splunkcloud folder/files need to be updated to get the updated credentials to all of my UF's?
2. How can I validate the new certificate date on my Window's UF's and on my HF's?
Thanks in advance.
Question #2
This won't tell you the version but will indicate whether the new package is up to date.
The fwd_config field will tell you either it is the "legacy" or "new" package.
index=_internal source=*metrics.log group=tcpout_connections name=splunkcloud*
| stats latest(_time) AS _time latest(name) AS name by host
| rex field=name "(?<output_group>.+?)\:"
| eval fwd_config=if(output_group="splunkcloud","legacy","new")
| stats count by _time host output_group fwd_config
| reltime
| fields _time reltime host output_group fwd_config
| sort 0 fwd_config
@woodcock Hi Woodcock. Any suggestions you can offer on my post would be appreciated! Thanks.